diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 90235f8..097291b 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -34,6 +34,23 @@
 line: datadir=/srv/mariadb
 notify: restart mariadb
+- name: create additional config directory
+ file:
+ path: /etc/mysql
+ state: directory
+ mode: 0750
+ owner: root
+ group: mysql
+
+- name: create tls configuration
+ template:
+ dest: /etc/my.cnf.d/tls.cnf
+ src: tls.cnf.j2
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart mariadb
+
 - name: enable service
 service:
 name: mariadb
diff --git a/roles/mariadb/templates/tls.cnf.j2 b/roles/mariadb/templates/tls.cnf.j2
new file mode 100644
index 0000000..e193b3f
--- /dev/null
+++ b/roles/mariadb/templates/tls.cnf.j2
@@ -0,0 +1,4 @@
+[mariadb]
+ssl-cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
+ssl-key = {{ tls_private }}/{{ inventory_hostname }}.key
+ssl-ca = {{ tls_certs }}/ca.crt
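Review bot: In the roles/mariadb/tasks/main.yml hunk, the new `file` task creates `/etc/mysql`, but the `template` task writes to `/etc/my.cnf.d/tls.cnf`, so nothing visible here guarantees that the destination directory exists. If `/etc/my.cnf.d` is the directory the server actually includes, the first task should probably use `path: /etc/my.cnf.d`; otherwise `dest` should point under the directory that was just created. Separately, both modes are bare octal literals. Quoting them as `mode: "0750"` and `mode: "0644"` removes the dependence on how the YAML loader types a leading-zero number.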
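Review bot: In the new roles/mariadb/templates/tls.cnf.j2, the server is given a certificate, key and CA but is never told to require TLS, so clients can presumably still connect in cleartext after this change. If the deployed MariaDB version supports them, consider adding `require_secure_transport = ON` and a protocol floor such as `tls_version = TLSv1.2,TLSv1.3` under `[mariadb]`. The diff also does not show how `{{ tls_private }}/{{ inventory_hostname }}.key` is installed. It is worth confirming elsewhere in the role that the key is readable by the mysql service account only and not world-readable, since the server will fail to enable TLS if it cannot read it.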